GHSA-HQF9-8XV5-X8XW

regreSSHion: The Return of the Signal Handler Nightmare

Amit Schendel
Senior Security Researcher

Jan 5, 2026 · 5 min read

Executive Summary (TL;DR)

OpenSSH's sshd server contains a race condition in its signal handling logic. If a client does not authenticate within `LoginGraceTime`, sshd receives a SIGALRM. The SIGALRM handler calls `syslog()`, which is not async-signal-safe: it can be entered while the main code path is inside the heap allocator, leaving heap metadata in an inconsistent state. The resulting heap corruption can be driven to remote code execution as root. Attack complexity is high (winning the race takes many attempts), but the impact is critical.

A signal handler race condition in OpenSSH's sshd server allows unauthenticated remote code execution (RCE) as root on glibc-based Linux systems. This is a regression of a vulnerability previously patched in 2006.
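To make the root cause concrete, the following added C example (written for this analysis, not OpenSSH's own code) contrasts the unsafe pattern described above with the async-signal-safe alternative. The handler names, the simulated "grace timeout" driver and the use of `raise()` to deliver SIGALRM to the process itself are all assumptions of the example; the vulnerable handler is shown only to illustrate the defect and is never invoked.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

/* Unsafe pattern (illustrative only, never called in this example):
 * syslog() may allocate and free memory internally. If SIGALRM arrives
 * while the interrupted code is in the middle of malloc()/free(), this
 * handler re-enters the allocator on top of half-updated heap metadata.
 * That is the CWE-364 condition the advisory describes. */
void grace_alarm_handler_unsafe(int sig)
{
    (void)sig;
    syslog(LOG_INFO, "Timeout before authentication"); /* NOT async-signal-safe */
    _exit(1);
}

/* Hardened pattern: the handler performs a single store to a
 * volatile sig_atomic_t and returns. Everything that needs the heap
 * (logging, cleanup) happens later on the main control path. */
volatile sig_atomic_t grace_expired = 0;

void grace_alarm_handler_safe(int sig)
{
    (void)sig;
    grace_expired = 1; /* async-signal-safe: one atomic store, no library calls */
}

/* Install the safe handler for SIGALRM. Returns 0 on success, -1 on error. */
int install_safe_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = grace_alarm_handler_safe;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    return sigaction(SIGALRM, &sa, NULL);
}

/* Simulated main loop: deliver SIGALRM to ourselves (standing in for the
 * LoginGraceTime alarm), then check the flag where it is safe to act on it.
 * Returns 1 if the timeout was recorded, 0 if not, -1 on setup failure. */
int simulate_grace_timeout(void)
{
    grace_expired = 0;
    if (install_safe_handler() != 0)
        return -1;
    if (raise(SIGALRM) != 0)
        return -1;
    if (grace_expired) {
        /* Safe here: we are not inside a signal handler, so the heap
         * is in a consistent state and syslog() may be used. */
        syslog(LOG_INFO, "Timeout before authentication (logged from main path)");
        return 1;
    }
    return 0;
}

int main(void)
{
    printf("grace timeout observed: %d\n", simulate_grace_timeout());
    return 0;
}
```

The defensive rule the example encodes is the one POSIX states for signal handlers: only async-signal-safe functions may be called from a handler, and `syslog()` is not on that list. Pushing the work out to the main loop through a `volatile sig_atomic_t` flag removes the window in which the allocator can be re-entered.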

Technical Appendix

CVSS Score: 8.1 / 10
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Probability: 0.04% (Top 100% most exploited)
Exposed instances: 14,000,000 via Shodan

Affected Systems

OpenSSH 8.5p1 through 9.7p1 on glibc-based Linux systems

Affected Versions Detail

Product            Affected Versions    Fixed Version
OpenSSH (OpenBSD)  >= 8.5p1, < 9.8p1    9.8p1

Attribute          Detail
CWE ID             CWE-364 (Signal Handler Race Condition)
Attack Vector      Network
CVSS v3.1          8.1 (High)
Impact             Unauthenticated RCE (Root)
Exploit Status     PoC Available / High Complexity
Root Cause         Signal Handler Race Condition

Vulnerability Timeline

2024-07-01: Vulnerability publicly disclosed by Qualys
2024-07-01: OpenSSH 9.8p1 released
2024-07-08: Added to CISA KEV
